What's New in Signing for Xcode and Xcode Server

Learn about new advances in Xcode's support for code signing, including more powerful distribution signing, better integration with Xcode Server, and more control for working with manual signing assets.

WWDC 2016

Thank you.
It's good to be here.
We have some very great stuff
for you, today.
Last year we unveiled automatic
signing.

And it's great.
Automatic signing was a major
leap forward in the ease of use
for how you sign your app.
Today, we're taking the next
step.

We're making it possible to use
automatic signing for
distribution, XCode Build, and
XCode Server.
So, what exactly are we going to
talk about, today?
First thing, is I'm going to
very briefly review the
fundamentals of signing and how
it works on our platforms.
Next, I'm going to show you how
to set up XCode Server to
perform development signing so
that you can regularly run tests
on the device.

Then, I'm going to show you some
of the great changes that we've
been making to manual signing.

Itai is going to come up and
show you all of the great
changes we've been making to
distribution and distribution
signing.
And Brent will come up to show
you how to set up XCode Server,
and for the first time, perform
distribution signing.

So, before we get in too deep, I
would like to take a moment to
remind us why we do this.

Why do we code sign?
Well, the simple answer is that
code signing protects us.

It protects us as users, it
protects us as developers.
And all of us are users.

All of us download apps from the
store, and we're sure that, that
app came from the developer that
wrote it, because of code
signing.
And every app that we download
from the store, we're sure that
Apple has approved that, that
app is allowed to use special
system services.
We can trust the security and
the privacy of our devices
because of code signing.
So, how does this actually work?
Well, every app had a code
signature.
And when the app is run, the
system checks for a couple
things.
It first checks that, that
signature is valid.

That it hasn't been tampered
with since it came from the
original developer.

And that, that app is allowed to
use special system services,
like App Groups.

And the signature also tells us
if it's been provisioned for
this device.

If it's for development, it's
been provisioned for a couple
devices.

And if it's for the App Store,
that code signature says it can
run on any device.

Our good friends, the signing
certificate, a provisioning
profile, and entitlements.

Now, I'm going to spare you a
very detailed explanation of how
all of this works.

But I would like to refer you to
last year's talk, What's New in
XCode App Signing, where we go
into great detail about how this
works with our platforms.
And how it works with XCode 8.

What I will say is that
collecting all of these assets,
it's not that much fun.

It's complex.
Which is why in XCode 8, we
introduced a solution to manage
all of this complexity,
automatic signing.
When you enable automatically
managed signing, XCode will
automatically create app IDs.
It will create certificates.

It will update provisioning
profiles.
It will update entitlements.

It will do all of that stuff you
don't want to deal with, so that
you can get on with your
development.
Enabling automatic signing is
really the way to go.

And I'm pleased to announce that
in XCode 9, all of this great
functionality is available in
XCode Server.
And we know that there are
certain situations in which
you'd like to directly
manipulate your signing
configuration.

So, we also have manual signing
support in XCode Server.
So, for those of you who don't
know, I hope you know that XCode
Server is the continuous
integration service powered by
XCode.
And now, it is built right into
XCode.

You no longer need to have
Server app installed.
If you've used this before, this
is a huge convenience.
It has never been easier to get
going with continuous
integration.
And XCode Server allows you to
very easily set up testing on
the Simulator and on the device.
Now, testing on the device
requires code signing.

So, I'd like to explain how code
signing fits into the greater
picture of XCode Server.

When you're working on your app
in XCode, you work on a project
and you upload updates to that
project to a remote repository.
You then, set up XCode Server
with a bot to pull from that
repository, build your app, and
run tests on the device.
And running on a device requires
a code signature.
And XCode composes that code
signature using those essential
ingredients, the provisioning
profile and a signing
certificate.

So, how are we going to get
those onto XCode Server?
Well, the good news is if you
have targets enabled with
automatic signing, this can just
happen for you.

XCode Server will automatically
create certificates, it will
update provisioning profiles, it
will register devices.
All so, that signing can be
performed.

This is really fantastic.
And if you have manual setup for
your targets.

XCode Server now has UI for you
to send any certificates from
your administrative Mac over to
the server that will be
performing integrations and code
signing.

So, XCode Server now has support
for automatic and manual
signing.

Now, XCode Server is able to
make use of automatic signing,
because you join XCode Server to
your team as another member.
You do this during XCode Server
setup, if you're a team agent or
admin.
And XCode Server now supports
logins from Apple IDs with
two-factor authentication.
Now, all of this great signing
functionality is available to
XCode Server because XCode
Server, under the hood, calls
out to the command line tool,
XCode Build.
Which means that XCode Build now
offers command line support for
automatic signing repairs.
And this is huge.
Now, if you have a third-party
continuous integration service,
you should listen up.
Because what this means is that
XCode Build can now update
provisioning profiles, it can
download them, it can create
certificates.
All that magic that happens in
the UI, can now happen on the
command line.
And you enable this in XCode
Build by passing the flag
allowProvisioningUpdates.
And we've added some extra
automation.
If you have a device connected
to your Mac, you can have it
automatically registered with
your team without interaction,
if you also pass the flag
allowProvisioningDevice
Registration.
So, very cool.

So, as I've said, setting up
XCode Server is super easy, now
that it's built right into XCode
9.
I'd like to show you how you set
up XCode Server, briefly, so
that I can show you how to set
up signing for that server.
So, the first step is opening up
the Preferences of XCode.
And all the way to the right, we
have a new tab, Server and Bots.

That's where you turn on XCode
Server.
The next step is opening up the
Accounts pane, where you can add
a client account.
That way you can view your
server working.
The next step is opening up your
project and using the Product
menu to create a Bot.
And then, in the Reports
navigator, you can view all the
integrations that your Bot have
been running.
You can see all the servers and
Bots.
And each integration, you can
see whether your project is
built, whether tests you have,
have run, whether they've
succeeded or failed.

That's what you can see, here.
And now, when you set up XCode
Server, there's a new tab, the
Signing tab.
This is what it looks like.
This gives a number of options
so that you can set up XCode
Server to be powered to use
automatic signing.

This first checkbox, Allow XCode
Server to manage my certificates
and profile, will give XCode
Server the power to use
automatic signing for any of
those targets in which it's
enabled.
And you authorize that, again,
by adding XCode Server to your
team.
And you do that, here.
And then, there is this other
checkbox, Automatically add
missing devices to my developer
team.

This will automatically register
any devices connected to your
Mac, without interaction.

And those two checkboxes in the
UI mirror those flags, allow
provisioning updates, and allow
provisioning device registration
for XCode Build.
So, I've said enough.

Why don't I actually show you
this working?
Okay. So, I have opened up XCode
to my project, ChocolateChip.
And I've already set up Server
with a Bot to perform
integrations on the Simulator.
So, I've just purchased this
shiny new device, and I'd like
to run tests on the device.
In order to do that, I need to
enable XCode Server to make use
of automatic signing.
So, first step is clicking on
the Reports navigator.

And you can see here, the server
that I've created.
The Bot.

And the one integration that's
run.
And I'm going to Control Click
and bring up the Bot editor.
So, my first step will be
clicking on the Devices tab,
where you can see that I've set
up XCode Server to run tests on
the iPhone SE Simulator.

I'm going to change that,
instead, to run on any device
that's connected to the Mac.

Next, in the Signing tab, you
can see what we've been talking
about.

I'm going to allow XCode Server
to create certificates and
profiles.

I'm going to add XCode Server to
my team.
And I'm going to allow XCode
Server to automatically register
any device that's connected,
including this one.

All right.
So, we're all ready to get
started testing on the device.

I'm going to manually initiate
an integration.
So, what's happening, now, is
XCode Server is downloading the
project from the repository.
It's building the app.

It's creating a certificate,
registering my device, adding
that device to the profile,
downloading the profile and
signing it.
All so that we can run tests on
the device.
And normally, I would say, don't
watch your Bot, it's not that
much fun.
You can let this automate itself
in another room.

But after a certain amount of
bake time, our cookies will be
done.

And there we go.
All two of my tests have passed.
I'm in very good shape.

So, you've just seen how you can
set up XCode Server to
automatically perform
development signing so that you
can run tests on the device.
Now, we really like automatic
signing.
We don't want you to be consumed
with managing all of these
assets.
We want to be coding.
We want you to be coding, as
well.
Setting automatic signing.
I do t it.

We suggest everyone do it.
However, we know that there are
certain situations in which you
may want to directly manipulate
your signing configuration.
And for that, we have manual
signing.
And now, we've improved it.
We've added some improvements to
the certificates sheet in the
Accounts Preferences.
Now, this sheet will tell you
what certificates you've created
on your Mac and other Macs that
you own.

That's the developer's
certificates, above.
And in the section below, you
can see all of the distribution
certificates that have been
created by anyone on your team.

Whether they're on your machine
or not.
And we've improved the
visibility, here.
Now, you can see when a
certificate is missing a private
key or it's been revoked.
And we even include the creator
of the certificate, and you can
email the creator of that
certificate, right from the
sheet and ask them to share it
with you.
In the Project Editor when
you're using manual, you select
a profile, yourself.
And we've added a new menu item,
Download Profile.
It'll bring up a sheet that
looks like this.

And you can see, on the left, a
list of eligible profiles from
profiles that I've created on
the portal.
And these are profiles that are
eligible for my target.

When I've selected one, you can
see a detailed view of that
profile and see how it compares
with your target.
Whether the capabilities match.
Even if the device is connected,
you can see if that device is in
the profile.
This is a major improvement for
finding the right profile before
you select it and try to sign
with it.

And if you have a profile
selected, already, but it's not
installed locally on your
machine, XCode will offer to
download that profile for you.
Which, we know it will work.

Now, we know that you're still
in manual.
We're not interested in touching
your project state or your
portal state.
We're very clear about this
distinction.
This is really just a
convenience.

And of course, in XCode Server,
we also have manual support.
Under the Signing tab you'll see
tab that's like this, the
Certificates and Profiles tab,
where you can see a list of the
certificates and profiles
installed on your local machine.
That you can send over to your
server to perform manual
signing.
So, when you are using manual
signing, we recommend using the
General tab to make any changes
to your signing setup.

However, if you have automation
or you just don't want to use
the UI, we have build settings
for extra flexibility.
In XCode 8, we introduced
Development Team, that's to set
the team identifier.
Provisioning Profile Specifier,
to set the profile by name, and
Code Sign Identity, to set the
certificate.
And in XCode 9, we're
introducing a new build setting,
Code Sign Style.
You can use Code Sign Style to
set the style to automatic or
manual at the target or build
configuration level.

We think that this is exciting,
but it's for advanced use cases.
For most cases, you should be
able to set your entire target,
keep it set, to automatic.
Well, you've seen just about all
there is for development
signing.
We've made a lot of great
improvements to distribution and
distribution signing.
For more on that, please give a
warm welcome to my friend Itai
Rom.
Thank you, Chris.
Good afternoon, everyone.
So, Chris just showed you all
the improvements we've made when
you're development signing your
app.

I'd like to change gears a bit,
and talk about distribution.
Now, when you're ready to share
your app with others, the first
thing you need to do is build an
archive.

An archive is a special release
build of your application.
And we recommend development
signing it.
In fact, that's the default
setting.

Now, the reason that we
recommend that is so that any
developer on your team can
easily build an archive and
share it with other.
Without needing access to any
special distribution signing
certificates.
The archive contains both the
machine code and bitcode of your
app, as well as your debugging
symbols, all bundled up
together.
And once you've built one of
these you can use XCode's
Organizer window to generate an
IPA and upload it to the App
Store.

When you generate that IPA,
XCode will distribution sign
your app according to App Store
requirements.
So, this is the other part of
why you can development sign
your archives.
Because XCode will resign your
app when you distribute it.

In fact, you can distribute your
archive in a variety of ways.
You can ad hoc distribution sign
it if you want to share the app
with other people on your team
or your QA engineers.

Or if you're a member of the
Enterprise Developer program,
you can enterprise sign it and
share the app with other
employees in your company.
Now, in addition to the
distribution method there are a
lot of other choices you need to
make when you distribute your
app.
You need to choose how you want
to sign it, which profiles to
use, which entitlements it
needs.
If you're using bitcode app
thinning or on-demand resources,
then you also need to decide how
you want to handle those
features.
And if you're uploading to the
App Store, then you need to
decide whether you want to
include symbols or not.
So, this can get quite complex.

I'm pleased to announce that in
XCode 9 we've made some major
improvements to the distribution
workflow that'll make is easier
than ever before to share your
apps with others.

While also giving you more power
and control over the process.
Now, the first thing we've added
is automatic signing.
This works just like during
development.

So, XCode will take care of all
the distribution signing details
for you.

And you can focus on other
tasks.
In addition to automatic
signing, for those of you who
want full control we've added
manual signing to the
distribution workflow.
So, now you can create your own
distribution profiles and tell
XCode which ones to use.
But XCode will never create or
modify any of those profiles.

In addition to automatic and
manual signing, we've made a lot
of other improvements.

We've streamlined the
distribution workflow.
So, for example, XCode won't ask
you which development team you
want to use, anymore.
Because it already knows the
answer.
Yeah.
We've also improved the
visibility of errors.
So, now it's easier to tell what
went wrong when you run into a
problem, and what you need to do
to resolve it.

We've enhanced export
functionality.
So, now in XCode 9, once you've
uploaded your app to the App
Store, you can save a copy of
your IPA in case you need to
refer back to it, later on.
And finally, we've enhanced the
command line support in XCode
Build, so that you can take
advantage of all of these new
features in your automation.

Let's dive into automatic
signing, a little bit more.
This works just like development
signing.
XCode will create XCode managed
distribution profiles.

These are profiles that are
completely under XCode's
control.

And they're the only profiles
that XCode will use for
automatic distribution signing.

It will never touch or use any
of your manually made profiles.
In addition, XCode will make it
easy to create and share your
distribution certificates.
These are different from
development certificates,
because they're team owned
signing assets.

So, it's really important that
you know when you've created one
and you save it, so that you can
reinstall it later or share it
with others.
And finally, last but not least,
for those of you with carefully
crafted signing setups, in XCode
9, XCode will never offer to
revoke a distribution
certificate.
Yeah. So, we're all very happy
about that one.
So, you don't have to worry
about any enterprising member of
your team ruining your carefully
crafted setup through XCode,
anymore.
So, here's an example of the
improved Air presentation.

This is a common and potentially
confusing situation.
Someone on your team has already
created a distribution
certificate, but you don't have
that certificate.

Or, more likely, you don't have
its private key.
Well, now XCode 9 tells you
exactly who created those
certificates, makes it really
easy to contact them.

So, you can get the information
you need to finish the workflow.
Now, that's just one example.

There are many others throughout
the distribution workflow of
improved errors.

The enhanced export
functionality.
So, as I mentioned earlier, now
it's easy to save aside a copy
of your IPA after you've
uploaded it to the App Store.

But you get more than that.
We also give you a distribution
summary PLIST.

So, just like a receipt it shows
you all the content in your IPA,
how XCode resigned it, which
entitlements it has, and so on.
You also get a packaging log,
which is like a build log.

It shows you, step by step, all
of the commands that XCode
issued when it transformed your
archive into an IPA.
And you get an export options
PLIST.

So, this last one is kind of
interesting.
An export options PLIST is like
a recipe.
It describes how you want to
transform your archive into an
IPA.
And when you want to automate
the process of generating IPAs,
which you do, is you invoke
XCode Build and give it one of
these export options PLISTs.

Now, in XCode 9, it's really
easy to create these, because
the distribution workflow will
generate one for you.
So, you don't need to manually
edit these PLISTs, anymore.

Here's an example of what one
looks like.
This is a really simple export
options PLIST.
As you can see, I've set up
automatic signing and I'm
exporting for the App Store.
And this last key in their
upload symbols, I actually don't
even need to include that.
Because it defaults to Yes.
Now, there are a lot of options
that you can specify in these
files.
You can invoke XCode Build dash
Help in terminal, to see
everything that you can include
in an export options PLIST.

But most of the options have
sensible defaults.
When you're ready to use this,
all you do is invoke XCode Build
dash export archive, pass the
path of your archive and the
path to your export options
PLIST.
And XCode Build will generate an
IPA for you.
Now, there's one other thing.
As you'll recall from Chris's
section, we've added a new flag
to XCode Build called
allowProvisioningUpdates.

And you can use that here, as
well.
So, that XCode Build will
automatically generate
distribution provisioning
profiles for you.

Anything that's necessary in
order to generate your IPA.
So, let's take a look at the new
distribution workflow in action.
Okay. So, here's our
ChocolateChip app, which we've
been working on for a while.
And as you can see, our
extensive two test suite is
passing.
So, now we're ready to upload it
to the App Store.

I'm going to start that off by
clicking product and creating an
archive.

And XCode's going to do that
release build of my app, bundle
it all up, and then show me the
archive once it's completed, in
the Organizer window.
From here, I can easily upload
it to the App Store by clicking
this very shiny enticing blue
button.

And when I click that, the
distribution workflow will drop
down.

Now, XCode's going to start by
analyzing some of the content in
my archive.

And that includes how my app was
signed.
So, that's how XCode knows which
development team I'm using.
It just reads the signature of
my archived app.

It also determines which options
to show me on the next screen.
This content is going to vary,
depending on what's in your
archive, as well as the
distribution method you choose.

So, if I had chosen ad hoc
distribution, then I'd see some
different options in here.

so, in this case, I have a
bitcode option, because my app
contains bitcode.

I also have a new Scrip Swift
symbols option.
What this is going to do, is it
allows the App Store to scrip
Swift symbols from the Swift
standard libraries in my app.

And that's going to greatly
reduce the download size of my
app for my customers.

So, I'm going to leave that on.
I also have the option to upload
symbols, which will allow me to
receive symbolicated crash
reports from Apple.
So, I'll leave that on, as well.

And click Next.
The next step is where I can
choose how I want to resign my
app.
I'll talk a little bit more
about manual signing, later.

For now, we'll stick to
automatic.
And XCode's going to start
talking to the developer website
and figure out how to resign my
app.

The first thing it looks for is
a distribution signing
certificate.

Now, in this case, my team
hasn't actually created one,
yet.

So, XCode tells me about that
and asks me if I want to create
one.

So, now XCode won't just create
one behind my back.
I'm fully aware that I'll have a
distribution certificate, and
all I need to do is give XCode
permission and click Next.

And XCode will generate it.
After that, XCode will ask me if
I want to export my certificate.

Like I said earlier, this is
really important, because these
are team owned assets.

And there might be other people
on my team who need to also
distribution sign.

Or I might need to reinstall the
certificate, later.
So, we really recommend
exporting a copy of your
certificate.
For now, since this is a demo,
I'll click Next.
And now, XCode's going to
continue talking to the portal,
generating my distribution
provisioning profiles.
I'll allow Codesign to use my
newly created signing
certificate.
That's how you can tell this is
live.
And once XCode is done it'll
show me details about the IPA
that it's created.
I can see all the content in my
IPA, including my framework, my
app extension, and my watch app.
Right in here I can see how
they're signed, and I can double
check that the entitlements are
correct.
So, this gives me a chance to
make sure my app is all correct
before I upload it to the App
Store.

Once I'm sure it fine, I'll
click Upload and XCode will
upload my app to the store.

Now, in the past, once this
completes this is where the
workflow would end in XCode.

But now, there's one additional
thing I can do, here.
I can export.

So, when I select Export and
save to the desktop, XCode will
generate a new directory
containing my IPA as well as all
of those other files, including
an export options PLIST that I
mentioned, earlier.
So, that's the new distribution
workflow using automatic signing
in XCode 9.
Now, let's talk a little bit
about manual signing.

Manual signing also works just
like during development.
You or someone on your team will
create provisioning profiles,
and then you can select them in
the XCode distribution workflow.

XCode won't ever create or
modify any of these manual
profiles.

So, you're in full control.
This is fully compatible with
XCode Build.

So, you can still automate the
creation of your IPAs if you
want to use manual signing.

But there's one note.
If your archive was manually
signed when you built it, then
you also need to manually sign
when you distribute.
So, how do you use manual
signing?
You'll recall this screen from
my demo, a moment ago.

If you choose manual signing,
click Next.
Then, you'll be greeted with
this interface.
This is really similar to the
signing UI that you see in the
General tab in XCode's project
editor.
You can select the distribution
certificate you want to use.
And then, profiles for each of
the items in your app.

When you pop open those popup
menus, you see the profiles that
are eligible, ineligible.

You can import profiles or
download profiles form the
portal directly within the
distribution workflow.
And if you select an ineligible
profile you'll see issues
associated with that selection
right underneath your selection.
Once you've selected valid
profiles for everything in your
app, you can click Next and
continue with the workflow.

And as I said, this is all fully
compatible with XCode Build.
All you need to do is specify a
couple of additional keys in
your export options PLIST.
So, you can see here, I've set
Signing Style to manual.
And I've also provided a
provisioning profiles entry that
lists all the items in my app by
bundle identifier, and all the
profiles I want to use.

And that's it.
Now, I'm set up for automation.
So, that's the new distribution
workflow in XCode 9.
We think you're all really going
to love it.

And now, I'd like to invite
Brent onstage to talk about
distribution signing in XCode
Server.
Thank you, everyone.

I'm really excited to be here,
today, because for the first
time in public we're going to
show you how you can use an
XCode Server to automatically
create distribution signed IPAs
for you.
This is really exciting.
It's a missing piece of the
puzzle and we finally delivered
it, and it's really great.
But first, how did we do this?
Well, in XCode 8 and XCode 9, we
introduced great automatic
signing workflows in XCode.

And XCode Server gets all of
that for free.
Likewise, all of the
distribution workflows and that
underlying technology, XCode
Server also gets that from
XCode.
So, we have automatic signing,
we have distribution, we have
XCode Server, we have great
workflows for development.
And distribution signing.

How does this all work?
So, Chris showed you a slide
that looked a little bit like
this.
And it's important to understand
how XCode Server does this job.

In order to sign an archive to
create an IPA from it for
distribution, XCode Server needs
some special assets.
Just like for development, it
needs signing certificates and
it needs provisioning profiles.
Now fortunately, we've made this
very easy.

If you allow XCode Server to
communicate with the developer
portal on your behalf, it can
get most of these things for
you.
It can get the provisioning
profiles automatically.
But there's one thing it can't
get, and that's the distribution
signing certificate.
That's really no big deal,
because we provide a great
experience for you to share this
with your server.
So, once your XCode Server has
all of these assets it can build
an archive.
And then, it can transform that
archive into an IPA for
distribution to the App Store.
So, what do you need to do?
You need to copy distribution
certificates to the server.
You need to make sure that
automatic signing is turned on.
But this will also work for
manual.

I'll show you that.
And then, thirdly, there's this
export options PLIST that I
talked to you about.
So, what's that all about?
Well, the export options PLIST
is just a simple recipe for how
you want XCode Server to
transform your archive into an
IPA.
They can be very simple, and the
can also scale up to some more
complex manual signing
scenarios, too.
So, I've been saying App Store a
lot, but I want to emphasize
that what we've built here, lets
you distribute for all of the
distribution methods.
So, if you're doing enterprise
or ad hoc or App Store, or
whatever, this would just work.
So, we think that's really
great.

So, let's see this in action.
So, here's our ChocolateChip Bot
that's been dutifully building
our app and running tests on
devices for two months, now.
So, what I want to do is I want
to repurpose this Bot to build
IPAs for me.
Now, we recommend as a best
practice that you create a
dedicated Bot for this purpose,
for creating IPAs.

But I'm just going to repurpose
this one for demo purposed,
today.

So, we'll go and edit the Bot.
There a lot of options in the
Bot editor.

But what we need to do today is
pretty simple.
First, we're going to visit the
Configuration tab.
And in here, we're going to turn
on Archiving.

Now, ever since XCode 5, when we
introduced XCode Server, it's
been able to create archives for
you.
And there have been a lot of
great workflows, there.

For example, you can create
archives and then do
over-the-air installs with XCode
Server.
And that's been great.
You can still do that.

But there's one new option that
we've added, here.
And that's what enables XCode
Server to create this
distribution signed IPA for you.
So, that's the final option,
here.
Use custom export options PLIST.
Well, where do I get one of
those?
Itai, being the great guy that
he is, you may remember he
exported that for me after he
uploaded his app to the App
Store.

So, I'll go and I'll select
that, now.
So, it's a good idea at this
point, that you verify that this
is the right export options
PLIST.

So, conveniently, you can just
click like it.
This is a pretty simple example
of an export options PLIST.
But you may remember from one of
Itai's slides, if you have some
more complex manual workflows
you would end up, perhaps,
having specific provisioning
profiles, here.
And other things you can do.
So, it's a good idea.

Just verify that this is the
right export options PLIST.
So, we've done that.

And that's it for the
Configuration tab.
Let's visit the Signing tab.

So, this is brand new in XCode
9, and we're pretty excited.
Because this is how you
configure XCode Server to do
both development signing and
distribution signing.

So, these two checkboxes at the
top, Chris already checked for
us.

And remember, the top one lets
XCode Server communicate with
the developer website on my
behalf.
My team is already added to the
server.

And even if you have a manual
distribution workflow, it's
really a good idea that you
still have this checkbox
checked.
So, now let's visit the
Certificates and Profiles tab.
So, what's in here?
There are two tables at the top.

Shows me all the certificates
that are installed on this
machine.

And the bottom are the
provisioning profiles.
And what I need to do, is I need
to share the distribution
certificate with my server.
That's real easy.

Just click add the server, and
it's done.
That's all I need to do.

And now, XCode Server has access
to that distribution
certificate.

And because I've allowed it to
talk to the developer website on
my behalf, it can get all the
assets it needs to create that
IPA.
You may be wondering what I need
to do with the provisioning
profiles table.
Well, for most of you if you're
doing automatic code signing,
and you're doing App Store
distribution, you don't need to
do anything.
But if you're targeting one of
those other distribution
methods, or you've specified
particular profiles in that
export options PLIST that we
looked at.
You're on the hook for making
sure your server has those
provisioning profiles.
Again, that's really easy.
Any profile you want to share,
you just click Add the Server,
and that will share it with your
XCode Server.

And now, this is the moment
you've been waiting for.
Let's integrate this Bot and
watch it create two things.
It's going to create an archive.
And then, it's going to
transform that archive into a
distribution signed IPA that I
can then upload to the App
Store.
And there it is.
So, for the first time.

This is a really exciting
development in XCode Server, and
it's going to save you a lot of
time.
So, code signing.

Code signing is really
important.
And we should feel fortunate as
developers and users that we're
using platforms where code
signing is an integral part of
the experience.
It keeps us safe.
It keeps us secure.

We know it's hard to get right.
But in XCode 8 and XCode 9 we've
put a ton of work into providing
really great solutions for you.
And we think it's easier than
ever.

So, we have development signing
with XCode Server, for your day
to day development.

And testing on devices.
We've also done a lot of work
for manual signing, because we
know that's important to a lot
of you.
We've made bit improvements to
the distribution workflow in
XCode.
And of course, we've brought
that distribution workflow to
XCode Server.
So, that's it.

There are a lot more related
session, this week, no this
topic.

Thanks for attending.
Have a great week.

Looking for something specific? Enter a topic above and jump straight to the good stuff.